Australian Kids' Smartwatch Maker Hit By Same Bug Again

An Australian company that sells a GPS tracking smartwatch for children accidentally introduced a security flaw in its software that could have allowed hackers to spoof the location of a child as well as download the personal information of its customers.

It's unclear how long the bug was in the code, but it was fixed between Jan. 24 and 25. TicTocTrack has not notified its users that the problem cropped up again and says it is not required to under mandatory breach reporting laws.

"There is no immediate security threat to our customers, and there has been no breach that has resulted in any harm to our customers that would require any kind of public release," says Karen Cantwell, CEO of iStaySafe.

The first time the bug occurred, TicTocTrack notified users by email and text message and issued a news release. Cantwell says the decision to notify users was made at that time because the company had to take its systems offline, which meant the smartwatches wouldn't work.

Troy Hunt, an Australian data breach expert who was involved in examining TicTocTrack the first time it had this bug, says the norm for situations like this one is for a public disclosure statement that describes how long the bug existed.

"The industry expectation when personal information is accessed by an unauthorized party is that those impacted are promptly notified," Hunt says. "Depending on jurisdiction, disclosure to the local regulatory body may also be required."

Identical Bug

The bug was discovered for the second time in January by Gordon Beeming, a South African developer who was considering buying two smartwatches for his children.

Beeming says he came across a conference talk by Hunt mentioning the first TicTocTrack bug and decided to see if the service was still vulnerable. It was.

Beeming says he was able to obtain the personal data of at least 1,000 registered users. The types of data include names, email addresses, phone numbers and profile photos.

With Hunt's permission, Beeming downloaded the data from Hunt's account, which was accurate. He also pulled the data for Hunt's 7-year-old daughter, including the phone number for the SIM card in her TicTocTrack watch.

Beeming says he has since deleted all of the data, and he published a blog post about his findings on March 18.

The bug is classified as an insecure direct object reference. Anyone logging into a TicTocTrack account could increment an integer called a "family identifier," which is assigned to a registered account. By incrementing the number in that field, the details for another account are displayed.

TicTocTrack's back-end APIs use OData. During his research, Beeming was also able to remove a filter from a storage container that held TicTocTrack's personal account data in bulk, which resulted in all of the data from that container being pulled into his computer.
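The two failures described above, an integer family identifier the client can change and a client-supplied OData filter the server trusts, are both symptoms of a missing object-level authorization check. The following is an added illustration, not TicTocTrack's code: the record layout, the field name FamilyIdentifier, the user-to-family table and the two handler functions are assumptions made for the example. It shows a handler that answers purely from the client's $filter beside one that first scopes the result set to what the session owns, so that incrementing the identifier or dropping the filter cannot widen it.

```python
"""
Object-level authorization for an OData-style family lookup.

Added example, not TicTocTrack's code. Field names, sample rows and the
user-to-family mapping are constructed for illustration; only the pattern
(an integer family identifier the client controls, and a client-supplied
$filter the server honours) comes from the article.
"""
from typing import Optional

# Constructed sample data: three accounts in one shared table.
ACCOUNTS = [
    {"FamilyIdentifier": 100, "Name": "Parent A", "Email": "a@example.invalid", "ChildPhone": "+61-400-000-001"},
    {"FamilyIdentifier": 101, "Name": "Parent B", "Email": "b@example.invalid", "ChildPhone": "+61-400-000-002"},
    {"FamilyIdentifier": 102, "Name": "Parent C", "Email": "c@example.invalid", "ChildPhone": "+61-400-000-003"},
]

# Which family each authenticated session belongs to (constructed, server-side truth).
USER_FAMILY = {"user_a": 100, "user_b": 101, "user_c": 102}


def parse_filter(expr: Optional[str]) -> Optional[int]:
    """Parse the single $filter shape this toy supports: 'FamilyIdentifier eq <int>'.

    Returns the requested identifier, or None when the client sent no filter.
    Anything else is rejected rather than guessed at.
    """
    if not expr:
        return None
    parts = expr.split()
    if len(parts) != 3 or parts[0] != "FamilyIdentifier" or parts[1] != "eq" or not parts[2].isdigit():
        raise ValueError(f"unsupported $filter: {expr!r}")
    return int(parts[2])


def vulnerable_query(user: str, odata_filter: Optional[str]) -> list:
    """Insecure direct object reference.

    Authentication is checked, but the rows returned depend only on the
    client's $filter: incrementing the integer yields another family, and
    omitting the filter yields every row in the container.
    """
    if user not in USER_FAMILY:
        raise PermissionError("not logged in")
    wanted = parse_filter(odata_filter)
    return [r for r in ACCOUNTS if wanted is None or r["FamilyIdentifier"] == wanted]


def hardened_query(user: str, odata_filter: Optional[str]) -> list:
    """Object-level authorization.

    The result set is first narrowed to the families this session owns;
    the client's $filter may only narrow it further, never widen it.
    """
    if user not in USER_FAMILY:
        raise PermissionError("not logged in")
    owned = {USER_FAMILY[user]}
    wanted = parse_filter(odata_filter)
    if wanted is not None and wanted not in owned:
        # A request for someone else's identifier: return nothing (and log it
        # as a probe in a real service) rather than confirming the id exists.
        return []
    return [r for r in ACCOUNTS if r["FamilyIdentifier"] in owned]


if __name__ == "__main__":
    # user_a asks for a neighbouring family id, then sends no filter at all.
    for fn in (vulnerable_query, hardened_query):
        print(fn.__name__, "incremented id ->", [r["Name"] for r in fn("user_a", "FamilyIdentifier eq 101")])
        print(fn.__name__, "no filter      ->", [r["Name"] for r in fn("user_a", None)])
```

The point of the hardened version is that ownership is decided from server-side state attached to the session, not from any value in the request; the same scoping must be applied on every endpoint that reads the container, including bulk or export paths, or the filter-removal case reappears there.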

"Using this, I was able to give Troy his data," Beeming writes.

But the bug wasn't just limited to exposing personal account data. Ken Munro, a partner at Pen Test Partners who was involved in disclosure of this incident as well as the first one, says it would have been possible to modify the reported location of children.

"The vulnerability was the same insufficiently authorized OData request as we found originally, so location spoofing would have been possible," Munro says.

Hunt wrote an in-depth blog post when the first bug arose. To demonstrate the seriousness of the bug, he allowed Vangelis Stykas, a security consultant with Pen Test Partners, to experiment with his daughter Elle's account.

Stykas was able to add himself as a parent on Elle's account, and one night he called Elle. Hunt published a video of the demonstration.

TicTocTrack: No Reporting Requirement

Cantwell, CEO of iStaySafe, says the data exposure does not need to be reported under Australian law nor under the European Union's General Data Protection Regulation.

Australia introduced a mandatory breach reporting law that came into force in February 2018. It requires organizations with more than $3 million in turnover to report an incident within 30 days (see: Australia Enacts Mandatory Breach Notification Law).

Cantwell maintains that no one else aside from Beeming and Munro accessed data this time around.

"Our product has not exposed personal data to anyone other than two ethical hackers that brought an issue to our attention," she says. "...I'm sure you would agree that no one is immune to attempted hacking."

Cantwell says that since the first incident, TicTocTrack has invested in penetration tests with CREST-certified partners, web application firewalls and internal data security protocols.

"What our customers are confident of and is evident by their continued use of our products and services is that we employ all possible measures to ensure we mitigate risk wherever possible and maintain data security," she says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
